This is Episode No. 69 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 15 to 30 minute summary.

The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well.

The show is released as a Podcast on iTunes, Overcast, Android, or RSS—and as a Newsletter which you can view and subscribe to or read below.

Infosec news

Wikileaks released a massive dump of CIA files, now called Vault 7, to the public last week. The core of the content was information on various techniques the CIA could use to gain access to target systems, including Android, iOS, consumer routers, consumer Smart TVs, etc. The leak has spawned massive discussion on the internet about how new or old the exploits/attacks were, who the likely source of the leak was, whether Russia was involved, etc. The biggest misconception that came out of the whole thing was that they had hacked Signal and other secure messengers. They didn't. They hacked Android, which allowed them to steal the information before it got to Signal, et al. Anyway, my personal opinion is that this is most likely a continuation of the Russian campaign to discredit attacks on Trump, and thus to improve Russia's position in the world. Link

Russian espionage and Russian cybercrime appear to be more linked than most people thought. Evgeniy Bogachev is a known cybercrime player out of Russia, but he's also been implicated in a lot of the election-related activity from last year. He also appears to live quite comfortably within Russia, much like a prized asset as opposed to an unwanted criminal. Interesting analysis from the New York Times. Link

Verifone, the largest maker of credit card terminals used in the United States, is investigating a breach of its internal networks that might have impacted numerous companies running its POS solutions. Verifone is saying that it was merely an internal network breach and that it didn't affect their payment system products. Link

Brian Krebs reported that Dahua, the second largest IoT manufacturer of things like security cameras and DVRs, just patched a major hole that allowed attackers to completely bypass authentication in some significant percentage of their devices. You could basically request the password list for any device, get a list of users and hashes back, and then send any of them in your own request to get access. Link

A House committee has proposed a law requiring employees to undergo genetic testing as part of workplace wellness programs, and will allow penalties of up to 30% of the cost of the insurance if they don't provide the data. Link

A major vulnerability was found in the Apache Struts 2 web application framework last week, and scans were very active looking for vulnerable targets. The flaw was in the Jakarta multipart parser upload function, and it let an attacker send a malicious Content-Type value and execute arbitrary system commands. Make sure you're patched. Link

WordPress issued a new release (4.7.3) to address six vulns, including some XSS, a URL validation issue, file deletion, and a CSRF issue. Patch early, patch often. Link

Consumer Reports is adding cybersecurity to its list of rating criteria. The layout for the requirements looks pretty decent as well. Link

An Intel Security report says 93% of companies have security strategies, but only 49% are fully implementing them. I think 49% is quite high. Either they didn't respond truthfully or their strategies are really weak. If half of the companies I went to had a security strategy and were fully implementing it I'd be overjoyed. It ain't true. I'd put that number closer to 5%. Link

Cornell did some interesting research on mobile MAC address randomization. They claim they can defeat randomization on Android with 96% accuracy using one technique, and on all major platforms by leveraging a previously known vulnerability. Link

CA bought Veracode for $614M. So let me get this right: Fortify is being sold to Micro Focus. WhiteHat is basically dead because all their talent left. And now Veracode has been sold to CA, which means we probably won't hear much from them anymore. Who's left? Checkmarx has to be loving this. Link

InfoSec Sales Engineers evidently make between $180K and $220K, making them higher paid than security engineers and cloud security engineers. It's evidently the need for a combination of skill sets, including technical skills, soft skills, and (although they didn't mention it) the willingness to travel and interact with customers constantly. Link

IBM has over 600 employees working on the possibility of replacing bloated and unwieldy supply chain documentation with blockchain technology. Walmart and Maersk are among the companies who are interested. Link

Twitch, an Amazon company, has started rolling out a Twitter-like competitor called Pulse. It's not quite a Twitter clone, though, because it's really meant to just magnify Twitch content, so it ends up looking a lot like a combination of a push-based RSS system, a sharing platform for Twitch media, and a commenting system. Link

The head of the largest advertising firm says Amazon is a major threat to them. I think it's very smart for them to realize this. It's the Google for products, and Amazon is just scary good at almost everything they touch. Link

Google has purchased Kaggle, a company that hosts data science and machine learning competitions. Link

AT&T and T-Mobile are in the middle of a massive rate plan battle that is really making it nice for customers. They're especially focused on unlimited data plans. If you're a customer of either of these companies, and especially if you use your plan for tethering, consider going in to see if you can upgrade to a better or cheaper plan. Link

Human news

There's a bunch of new research on the benefits of fasting to the human body. This study talks about alternate day calorie restriction, where you eat far fewer calories one day, and then far more the next. It's early, but this appears to be some of the most promising research on weight loss and immune system health in a long time. Link

Why the Future Doesn't Need Us. One of the first essays I ever read on the topic of future technologies and how they might affect humanity. It's from 2000 and written by Bill Joy. Highly recommended. Link

AuthMatrix — A Burp extension that provides a simple way to test authorization in web applications and services. Link

How to permanently update Burp's attack strings by editing the .jar file. Link

An interesting little visualization of different infosec career jump points. Link

RAND has released a fascinating study on 0-day and exploit data and how much harm is caused by various entities sitting on them vs. releasing them. Link

Bash Bunny — Hak5's latest pentest tool. It emulates trusted USB interfaces like Ethernet, serial, flash storage, and keyboards, and as a result it receives tons of sensitive data from the system. Link

How online gamers use malware to cheat. Particularly interesting to me since I'm currently working on a game security project. Link

System Design Primer — Learn how to design large scale systems. Prep for a system design interview. Link

Notes

I'll be presenting at HouSecCon with my buddy Jason Haddix on the 23rd of this month. The presentation is on The Game Security Framework, and we're going to be talking all about the project's structure, the data we have so far, and where we're taking it. Link

Getting closer on my OSINT primer. I have onsite customer work next week, but I'm hoping to still finish it within a week or so.

I'm almost done with Sapiens and I'm moving on to Homo Deus, by the same author. By the way, it's Deus (as in the second version of humans), which makes more sense than what I mentioned in the podcast last week.

I finally removed the single ad I had on my website and moved to a sponsorship model. The site is currently sponsored by Netsparker, a strong web application scanner I've used off and on for many years. It's nice to not have an ad network (JavaScript) running on the site anymore, even though the one I used wasn't bad at all. Now it's just text and a link—super clean. If you need a good web scanner, head over to my site's sidebar. Link

Recommendations

Remember to focus on your Eulogy attributes, and not just your Resume attributes. If you were to die tomorrow, and your eulogy were next week, what would people say about you? Are they the things that you would want them to say? Take the actions that would make that the case.